In a recent report, auditing giant KPMG identified the five most common mistakes managers make when trying to secure their organizations’ IT networks against cybercriminals.
The report asserts that company executives should exhibit leadership in cybersecurity with regard to allocating resources, governance and decision-making, as well as building an organizational culture in which everyone is aware of his or her responsibilities.
“Cybersecurity is a challenge for the leadership of many organizations. This, however, cannot be an excuse to divest responsibility to the ‘experts,’” said John Hermans, cybersecurity lead partner for KPMG.
Leaving the protection of IT networks to a specialized department of experts is just one of the main mistakes KPMG highlighted in its report. The other most common mistakes are insisting on total security, relying on cyberdefense tools, trying to beat the attackers and aiming to just comply with cybersecurity regulations.
Shooting for 100 Percent Security
Every large well-known organization will have information stolen and, possibly, made public, KPMG said. Coming to the realization that 100 percent protection against cybercrime is neither a feasible nor an appropriate goal is an important step toward a more effective policy, the report said, because it allows executives to make choices about defending against attacks.
A good defense is based on understanding organizational vulnerability, establishing mechanisms to detect an imminent or actual breach, and immediately confronting intruders to minimize loss, KPMG said.
In practice, the emphasis is often skewed toward prevention. “Once you understand that perfect security is an illusion and that cybersecurity is ‘business as usual,’ however, you also understand immediately that more emphasis must be placed on response,” the report explained.
Feeling Safe Behind Technology
Effective cybersecurity depends less on technology than leaders may think, KPMG said.
The cybersecurity industry is rife with specialist suppliers that sell technical tools, some of which are essential for basic security, but, according to the report, “they are not the basis of a holistic and robust cybersecurity policy and strategy.”
A company’s IT department should employ a robust cyberdefense, but employees’ awareness of how they can affect cybersecurity is critical. “The human factor is and remains, for both IT professionals and the end user, the weakest link in relation to security.”
Cyberdefense tools will be effective only if people understand how to keep their networks safe. One of the most persistent risks companies face is attackers manipulating employees into granting access to systems.
“This is often about changing the culture so that employees are alert to the risks and proactive in raising these with supervisors,” KPMG said.
Outgunning the Attackers
An organization’s cybersecurity policy should prioritize investing in an understanding of the value of its information assets and the implications of any loss for the core business, rather than trying to cover all risks, since it is impossible to protect all assets all the time, the report authors said.
“In short, managers should be aware of the latest techniques but should not let this distract them from protecting their most important assets,” KPMG said.
Managers should ask:
Effective cybersecurity policy and strategy should be based on continual learning and improvement, not solely on monitoring compliance, according to KPMG.
The report suggested that organizations:
Calling in the Experts
Cybersecurity should be viewed as an attitude, instead of a department of specialist professionals, the report said. Putting the onus on one department may result in a false sense of security, according to KPMG, and foster a lack of responsibility in the rest of the company.
The report suggested that businesses make cybersecurity part of HR policy and, in some cases, link it to compensation. “It also means that cybersecurity should have a central place when developing new IT systems, and not, as is often the case, be given attention only at the end of such projects.”
What to Do Next
To determine your organization’s risk profile, KPMG suggests asking the following questions:
Depending on what kind of risk profile your organization develops, your cybersecurity budget should probably be 3 percent to 5 percent of your total IT budget, KPMG said. The report cautioned that a significant part of such a budget is often spent on implementing technological solutions and solving past problems.
“Ensuring your funds are spent appropriately on future system solutions is only part of the answer, however. Without good governance, proper cybersecurity processes and, of course, the appropriate culture and behaviors, these technological solutions will not prove their money’s worth.”
Roy Maurer is an online editor/manager for SHRM.